DETAILED ACTION

1. Claims 20-38 remain pending. 
Claims 1-19 are cancelled. 

Information Disclosure Statement 

2. The information disclosure statement (IDS) submitted on 10/25/2007 was filed 
after the mailing date of the Non-Final Rejection on 5/18/2007. The submission is in 
compliance with the provisions of 37 CFR 1.97. Accordingly, the information disclosure 
statement is being considered by the examiner. 



Response to Arguments 
3. Applicant's arguments with respect to claims 20-38 have been considered but are 
moot in view of the new ground(s) of rejection. 

Baehr teaches an invention comprising different connections from different 
networks via standard network interfaces to the firewall (col.3, lines 36-62). Baehr
discloses the claimed edge connection corresponding to a network connection as a port 
or network interface that is provided for each of the two networks and one or more ports 
are provided to one or more proxy networks (col.2, lines 8-15). Referring to Fig. 8, 
shows the private network 330 coupled via a network interface 410 to the screening
system, the private network 335 coupled via a network interface 415 to the screening
system, and the proxy network 430 is coupled to the screen via the network interface
420 (col.3, lines 36-62 and col.5, lines 35-41). Therefore, this suggests multiple
connections corresponding to a distinct proxy host (home) through the same screening 
system or multi-homed firewall. Baehr includes two private networks 330 and 335 with 
different connections wherein the private network 330 can assume to be the first 
network (i.e. a corporate domain corp.sun.com - col.5, lines 43-47) and the private 
network 335 refers to the second network (i.e. an engineering domain eng.sun.com - 
col.5, lines 39-42). Baehr further discloses the proxy network includes proxies (virtual 
hosts) for both the eng.sun.com and corp.sun.com (col.5, lines 50-52). Thus, suggests 
that both private networks include their own set of virtual proxy hosts. The claimed first 
edge connection corresponding to the first network connection can be the network
interface connecting to a corresponding private network 335. The claimed second edge
connection corresponding to first network connection can be the second network
interface connecting to the second private network 330. Thus, obviously suggests a 
first edge connection comprising a first set of virtual hosts from a first network and a 
second edge connection comprising a second set of virtual hosts from a second 
network. Baehr discloses that the private network includes hosts and a proxy network 
includes a proxy virtual host mirroring each of a subset (or all) of the hosts (col.4, lines
25-50). Baehr's proxy hosts or servers are referring to the claimed virtual hosts.
According to Baehr, each of the proxy host of the proxy network corresponds to one of
the actual hosts within the private network (col.4, lines 31-39 and 49-50). Thus, Baehr
obviously suggests an actual host of the private network is the claimed distinct home
and that each proxy host amongst the set of virtual hosts corresponds to a distinct host
(home) between the first and second networks through the firewall (col.4, lines 33-37 
and Fig.8). 

Rosotoker teaches the conversion between a network protocol (i.e. IP-compliant) 
and the data protocol (i.e. non-IP compliant) used to handle large data streams such as 
MPEG packets but not limited to these particular protocols (col.25, lines 44-53). By 
translating outgoing packets in any protocol obviously can transform the IP-compliant
traffic into a non-IP protocol appropriate for a destination. Hence, Rosotoker obviously
suggests an IP-compliant network and a private network through which a connection
may be made. Thus, it would have been obvious for a person of ordinary skills in the art
to combine Baehr with Rosotoker to teach translation/conversion from one protocol to
another (Rosotoker - col.18, lines 5-10) through which a connection may be made between
said IP-compliant network and said private network because translating to a different 
protocol can accommodate the data stream of a non-IP compliant destination and 
providing connections to different network protocols to provide multiple external 
communication port connections transparent to the destined (Rosotoker-col.25, lines 
34-37 and 44-52). 



Claim Rejections - 35 USC § 103

The following is a quotation of 35 U.S.C. 103(a) which forms the basis for all obviousness
rejections set forth in this Office action: 

(a) A patent may not be obtained though the invention is not identically disclosed or described as set 
forth in section 102 of this title, if the differences between the subject matter sought to be patented and 
the prior art are such that the subject matter as a whole would have been obvious at the time the 
invention was made to a person having ordinary skill in the art to which said subject matter pertains. 
Patentability shall not be negatived by the manner in which the invention was made. 

4. Claims 20-38 are rejected under 35 U.S.C. 103(a) as being unpatentable 
over Baehr, et al. (US 5,802,320) in view of Rosotoker, et al. (US 5,708,659).

As per claim 20: 

Baehr discloses a load-sharing server multi-homed firewall array comprising:
an array of firewall machines coupled in parallel with an [IP-compliant network];
(col.2, lines 8-15 and col.3, lines 15-22 and 50-67)

each of the firewall machines of the array further comprising:
a first edge connection corresponding to a first network connection and a second
edge connection corresponding to a second network connection: (col.3, lines 36-62 and
Figs.5 and 8)

said first edge and second edge connection further comprising a first and second
set of virtual hosts, said first set of virtual hosts [configured to interface an associated
firewall machine with said IP-compliant network] and said second set of virtual hosts
configured to interface an associated firewall machine with a private network; (col.4,
lines 25-50 and col.8, lines 40-45)

each of said virtual hosts of said first and second set corresponding to a distinct
home (Fig.6 and col.4, lines 32-37 and 49-51) through which a connection may be made
between said [IP-compliant network] and said private network; (col.5, lines 30-52 and
col.10, lines 7-31)

DNS functionality associated with each of firewall machines of the array; (col.6,
lines 5-10 and 58-67)

a master configuration file associated with each of the firewall machines; and
(col.6, lines 30-55 and col.8, lines 12-27)

wherein an ensuing connection request is mapped to the first firewall machine of
the array to respond to a DNS request associated with said ensuing connection request.
(col.7, lines 28-34 and col.8, line 58 - col.9, line 5)

According to the applicant's specification (pg.16) that each virtual host 
corresponds to a "home" (i.e. site) via connection made between the two networks and 
that homes are synonymous to virtual hosts. So with the specification in mind,
Examiner broadly interprets for each of the virtual hosts corresponding to a distinct 
home is where each virtual host relates to a real host or an actual host (home) of one of 
the networks. Thus, for purposes of applying art, the virtual host specific or distinct to 
its actual host (home) is one in the same when being referenced to for connection 
between the networks. 

Baehr discloses that the private network includes hosts and a proxy network 
includes a proxy virtual host mirroring each of a subset (or all) of the hosts (col.4, lines 
25-50). Baehr's proxy hosts or servers are referring to the claimed virtual hosts. 
According to Baehr, each of the proxy host of the proxy network corresponds to one of 
the actual hosts within the private network (col.4, lines 31-39 and 49-50). Thus, Baehr
obviously suggests an actual host of the private network is the claimed distinct home
and that each proxy host amongst the set of virtual hosts corresponds to a distinct host
(home) between the first and second networks through the firewall (col.4, lines 33-37
and Fig.8). 

Baehr teaches an invention comprising the private network coupled via a 
standard network interface to the screening system, the public network is coupled to the
screen via another network interface, and the proxy network is coupled to the screen via
the network interface (Fig.5 and 8 and col.5, lines 35-41). Based on the information
from the packet would indicate the state of the connection to a particular host or service
in the network (col.6, lines 44-45) and such information determines whether the source
host is in the expected domain (col.6, lines 48-53). The domains communicate with one 
another through a screen or a conventional firewall via a connection (col.5, lines 45-47). 
Baehr discloses a screening system which is configured to handle all of the 
conventional firewall functions plus the screening functions and different connections 
from different networks via standard network interfaces to the firewall (col.3, lines 36- 
62). Baehr discloses the claimed edge connection corresponding to a network 
connection as a port or network interface that is provided for each of the two networks 
and one or more ports are provided to one or more proxy networks (col.2, lines 8-15). 
Therefore, Baehr reads on the claimed multi-homed firewall.

Referring to Fig. 5 and 8, shows the private network 330 coupled via a network 
interface 410 to the screening system, the private network 335 coupled via a network
interface 415 to the screening system, and the proxy network 430 is coupled to the
screen via the network interface 420 (col.3, lines 36-62 and col.5, lines 35-41). Baehr
includes two private networks 330 and 335 with different connections wherein the
private network 330 can assume to be the first network (i.e. a corporate domain
corp.sun.com - col.5, lines 43-47) and the private network 335 refers to the second
network (i.e. an engineering domain eng.sun.com - col.5, lines 39-42). Baehr further
discloses the proxy network includes proxies (virtual hosts) for both the eng.sun.com
and corp.sun.com (col.5, lines 50-52). Thus, suggests the two different private
networks include their own set of virtual proxy hosts. The claimed first edge connection
corresponding to the first network connection can be the network interface connecting to 
a corresponding private network 335. The claimed second edge connection 
corresponding to first network connection can be the second network interface 
connecting to the second private network 330. Thus, obviously suggests a first edge 
connection comprising a first set of virtual hosts for processing connection requests 
from a first network and a second edge connection comprising a second set of virtual 
hosts for processing connection requests from a second network (col.5, lines 50-52 and 
Fig.8). Although, Baehr discloses virtual hosts and ensuing connection request is 
mapped to the firewall machine of the array to respond to a DNS request associated
with said ensuing connection request (col.6, lines 5-62 and col.7, lines 28-34). 
However, the connection request does not involve an IP-compliant network and a 
private network through which a connection may be made between said IP-compliant 
network and said private network. 

Rosotoker discloses network technology has suffered from limitations resulting
from a proliferation of non-standard protocols, and limitations due to the nature of the 
protocols and transmission schemes, which are employed (col.2, lines 22-26). 
Rosotoker discloses that under heavy traffic, any attempt to determine to which port a 
packet must be switched must be accomplished speedily to avoid slowing throughput of 
the network (col.2, lines 41-45). Rosotoker discusses the network protocol processing 
system interconnection comprises packet conversion logic for conversion between
network protocol (col.4, line 66 - col.5, line 1) where the invention is not necessarily
limited to the particular protocols and standards used (col.25, lines 45-52). Rosotoker
discusses the remote node connections typically exchange packets of data in Novell
IPX, Microsoft NetBEUI, or Internet IP format (col.7, lines 65-67). Thus, depending
upon the protocol employed internally the data received over a particular port may
require translation from one protocol to another (col.18, lines 5-10) obviously suggests
the received IP-compliant traffic being destined for said non-IP compliant destination.
Further, Rosotoker discloses translating incoming packets in any protocol and outgoing
packets in any different protocol (col.9, lines 28-31). Rosotoker discusses the ATM
protocol is preferred but can use other protocols (col.8, lines 55-58). Rosotoker teaches
the conversion between a network protocol (i.e. IP-compliant) and the data protocol (i.e.
non-IP compliant) used to handle large data streams such as MPEG packets but not
limited to these particular protocols (col.25, lines 44-53). By translating outgoing
packets in any protocol obviously can transform the IP-compliant traffic into a non-IP
protocol appropriate for a destination. Hence, Rosotoker obviously suggests an IP-
compliant network and a private network through which a connection may be made.

Therefore, it would have been obvious for a person of ordinary skills in the art to 
combine Baehr teaching network connectivity by allowing connections to be established 
with the virtual hosts with Rosotoker to teach translation/conversion from one protocol to 
another (Rosotoker - col.18, lines 5-10) through which a connection may be made between
said IP-compliant network and said private network because translating to a different 
protocol can accommodate the data stream of a non-IP compliant destination and 
providing connections to different network protocols to provide multiple external 
communication port connections transparent to the destined (Rosotoker-col.25, lines 
34-37 and 44-52). 

As per claim 21: See Baehr on col.6, lines 5-10 and 58-67 and col.7, lines 28-34;
discussing load-sharing multi-homed firewall array of claim 20, wherein a connection
request received from the IP-compliant network is mapped to said first set of virtual
hosts on the first firewall machine of the array to respond to a DNS request.

As per claim 22: See Baehr on col.6, lines 5-10 and 58-67 and col.7, lines 28-34;
discussing load-sharing multi-homed firewall array of claim 20, wherein a connection
request received from the private network is mapped to said second set of virtual hosts
on the first firewall machine of the array to respond to a DNS request.

As per claim 23: See Baehr on col.5, lines 30-35 and col.6, lines 18-25 and col.10,
lines 7-31; discussing load-sharing multi-homed firewall array of claim 20, wherein each
of said firewall machines further comprises a special-purpose virtual host including an
HTML-based configuration module for updating said master configuration files over said
IP-compliant network.

As per claim 24: See Baehr on col.4, lines 25-50 and col.8, lines 40-45 and;
discussing load-sharing multi-homed firewall array of claim 23, wherein each of said
firewall machines includes N + 1 sets of virtual hosts.

As per claim 25:

Baehr discloses a load-sharing multi-homed firewall array comprising: 
means for coupling a plurality of firewall means in parallel with [an IP-compliant 
network]; (col.2, lines 8-15 and col.3, lines 15-22 and 50-67)

each of the firewall machines of the array further comprising:
a first edge connection means corresponding to a first network connection and a
second edge connection means corresponding to a second network connection; (col.3,
lines 36-62 and Figs.5 and 8)

said first edge and second edge connection means further comprising a first set
of virtual host means interfacing an associated firewall means [with said IP-compliant
network] and said second set of virtual host means interfacing an associated firewall
means with a private network; (col.4, lines 25-50 and col.8, lines 40-45)

each of said virtual hosts of said first and second set corresponding to a distinct
home (Fig.6 and col.4, lines 32-37 and 49-51) through which a connection may be made
between said [IP-compliant network] and said private network; (col.5, lines 30-52 and
col.10, lines 7-31)

means for providing DNS functionality associated with each of firewall means;
(col.6, lines 5-10 and 58-67)

master configuration means associated with each of the firewall machines; and
(col.6, lines 30-55 and col.8, lines 12-27)

means for mapping an ensuing connection request to the first firewall means to
respond to a DNS request associated with said ensuing connection request. (col.7, lines
28-34 and col.8, line 58 - col.9, line 5)

According to the applicant's specification (pg.16) that each virtual host 
corresponds to a "home" (i.e. site) via connection made between the two networks and 
that homes are synonymous to virtual hosts. So with the specification in mind, 
Examiner broadly interprets for each of the virtual hosts corresponding to a distinct 
home is where each virtual host relates to a real host or an actual host (home) of one of 
the networks. Thus, for purposes of applying art, the virtual host specific or distinct to 
its actual host (home) is one in the same when being referenced to for connection 
between the networks. 

Baehr discloses that the private network includes hosts and a proxy network 
includes a proxy virtual host mirroring each of a subset (or all) of the hosts (col.4, lines 
25-50). Baehr's proxy hosts or servers are referring to the claimed virtual hosts. 
According to Baehr, each of the proxy host of the proxy network corresponds to one of
the actual hosts within the private network (col.4, lines 31-39 and 49-50). Thus, Baehr
obviously suggests an actual host of the private network is the claimed distinct home 
and that each proxy host amongst the set of virtual hosts corresponds to a distinct host 
(home) between the first and second networks through the firewall (col.4, lines 33-37 
and Fig.8). 

Baehr teaches an invention comprising the private network coupled via a
standard network interface to the screening system, the public network is coupled to the
screen via another network interface, and the proxy network is coupled to the screen via
the network interface (Fig.5 and 8 and col.5, lines 35-41). Based on the information
from the packet would indicate the state of the connection to a particular host or service 
in the network (col.6, lines 44-45) and such information determines whether the source 
host is in the expected domain (col.6, lines 48-53). The domains communicate with one 
another through a screen or a conventional firewall via a connection (col.5, lines 45-47). 
Baehr discloses a screening system which is configured to handle all of the 
conventional firewall functions plus the screening functions and different connections 
from different networks via standard network interfaces to the firewall (col.3, lines 36-
62). Baehr discloses the claimed edge connection corresponding to a network
connection as a port or network interface that is provided for each of the two networks 
and one or more ports are provided to one or more proxy networks (col.2, lines 8-15). 
Therefore, Baehr reads on the claimed multi-homed firewall.

Referring to Fig. 5 and 8, shows the private network 330 coupled via a network 
interface 410 to the screening system, the private network 335 coupled via a network 
interface 415 to the screening system, and the proxy network 430 is coupled to the 
screen via the network interface 420 (col.3, lines 36-62 and col.5, lines 35-41). Baehr
includes two private networks 330 and 335 with different connections wherein the 
private network 330 can assume to be the first network (i.e. a corporate domain 
corp.sun.com - col.5, lines 43-47) and the private network 335 refers to the second 
network (i.e. an engineering domain eng.sun.com - col.5, lines 39-42). Baehr further
discloses the proxy network includes proxies (virtual hosts) for both the eng.sun.com 
and corp.sun.com (col.5, lines 50-52). Thus, suggests the two different private 
networks include their own set of virtual proxy hosts. The claimed first edge connection 
corresponding to the first network connection can be the network interface connecting to 
a corresponding private network 335. The claimed second edge connection 
corresponding to first network connection can be the second network interface 
connecting to the second private network 330. Thus, obviously suggests a first edge 
connection comprising a first set of virtual hosts for processing connection requests 
from a first network and a second edge connection comprising a second set of virtual 
hosts for processing connection requests from a second network (col.5, lines 50-52 and 
Fig.8). Although, Baehr discloses virtual hosts and ensuing connection request is 
mapped to the firewall machine of the array to respond to a DNS request associated 
with said ensuing connection request (col.6, lines 5-62 and col.7, lines 28-34).
However, the connection request does not involve an IP-compliant network and a 
private network through which a connection may be made between said IP-compliant 
network and said private network. 

Rosotoker discloses network technology has suffered from limitations resulting 
from a proliferation of non-standard protocols, and limitations due to the nature of the 
protocols and transmission schemes, which are employed (col.2, lines 22-26). 
Rosotoker discloses that under heavy traffic, any attempt to determine to which port a 
packet must be switched must be accomplished speedily to avoid slowing throughput of 
the network (col.2, lines 41-45). Rosotoker discusses the network protocol processing
system interconnection comprises packet conversion logic for conversion between
network protocol (col.4, line 66 - col.5, line 1) where the invention is not necessarily
limited to the particular protocols and standards used (col.25, lines 45-52). Rosotoker
discusses the remote node connections typically exchange packets of data in Novell
IPX, Microsoft NetBEUI, or Internet IP format (col.7, lines 65-67). Thus, depending
upon the protocol employed internally the data received over a particular port may 
require translation from one protocol to another (col.18, lines 5-10) obviously suggests 
the received IP-compliant traffic being destined for said non-IP compliant destination. 
Further, Rosotoker discloses translating incoming packets in any protocol and outgoing 
packets in any different protocol (col.9, lines 28-31). Rosotoker discusses the ATM 
protocol is preferred but can use other protocols (col.8, lines 55-58). Rosotoker teaches 
the conversion between a network protocol (i.e. IP-compliant) and the data protocol (i.e. 
non-IP compliant) used to handle large data streams such as MPEG packets but not 
limited to these particular protocols (col.25, lines 44-53). By translating outgoing 
packets in any protocol obviously can transform the IP-compliant traffic into a non-IP 
protocol appropriate for a destination. Hence, Rosotoker obviously suggests an IP- 
compliant network and a private network through which a connection may be made. 

Therefore, it would have been obvious for a person of ordinary skills in the art to 
combine Baehr teaching network connectivity by allowing connections to be established 
with the virtual hosts with Rosotoker to teach translation/conversion from one protocol to 
another (Rosotoker - col.18, lines 5-10) through which a connection may be made between 
said IP-compliant network and said private network because translating to a different
protocol can accommodate the data stream of a non-IP compliant destination and 
providing connections to different network protocols to provide multiple external 
communication port connections transparent to the destined (Rosotoker-col.25, lines 
34-37 and 44-52). 

As per claim 26: See Baehr on col.6, lines 5-10 and 58-67 and col.7, lines 28-34;
discussing load-sharing multi-homed firewall array of claim 25, further comprising
means for mapping a connection request received from the IP-compliant network to said
first set of virtual host means on the first firewall means to respond to a DNS request.

As per claim 27: See Baehr on col.6, lines 5-10 and 58-67 and col.7, lines 28-34;
discussing load-sharing multi-homed firewall array of claim 25, further comprising
means for mapping a connection request received from the private network to said
second set of virtual host means on the first firewall means to respond to a DNS
request.

As per claim 28: See Baehr on col.5, lines 30-35 and col.6, lines 18-25 and col.10,
lines 7-31; discussing load-sharing multi-homed firewall array of claim 25, further
comprising HTML-based configuration means for updating said master configuration
means over said IP-compliant network.

As per claim 29: See Baehr on col.4, lines 25-50 and col.8, lines 40-45 and;
discussing load-sharing multi-homed firewall array of claim 28, wherein each of said
firewall means includes N + 1 sets of virtual host means.

As per claim 30:



Application/ Control Number: 10/701,011 Page 17 

Art Unit: 2135 

Baehr discloses a load-sharing multi-homed firewall array comprising:
an array of firewall machines coupled in a parallel with an [IP-compliant network];
(col.2, lines 8-15 and col.3, lines 15-22 and 50-67)

each of the firewall machines of the array further comprising:
a first edge connection corresponding to a first network connection and a second
edge connection corresponding to a second network connection: (col.3, lines 36-62 and
Figs.5 and 8)

said first edge and second edge connection further comprising at least a first and
second set of virtual hosts, said first set of virtual hosts (Fig.6) [configured to interface
an associated firewall machine with said IP-compliant network] and said second set of
virtual hosts configured to interface an associated firewall machine with a private
network; (col.4, lines 25-50 and col.8, lines 40-45)

DNS functionality associated with each of firewall machines of the array; (col.6,
lines 5-10 and 58-67)

a master configuration file associated with each of the firewall machines; (col.6,
lines 30-51 and col.8, lines 12-27)

a special-purpose virtual host including an HTML-based configuration module for
updating said master configuration files using a point-and-click interface over said [IP-
compliant network]; and (col.5, lines 30-35 and col.6, lines 18-25 and col.10, lines 7-31)

wherein an ensuing connection request is mapped to the first firewall machine of
the array to respond to a DNS request associated with said ensuing connection request.
(col.7, lines 28-34 and col.8, line 58 - col.9, line 5)

According to the applicant's specification (pg.16) that each virtual host
corresponds to a "home" (i.e. site) via connection made between the two networks and
that homes are synonymous to virtual hosts. So with the specification in mind, 
Examiner broadly interprets for each of the virtual hosts corresponding to a distinct 
home is where each virtual host relates to a real host or an actual host (home) of one of 
the networks. Thus, for purposes of applying art, the virtual host specific or distinct to 
its actual host (home) is one in the same when being referenced to for connection 
between the networks. 

Baehr discloses that the private network includes hosts and a proxy network 
includes a proxy virtual host mirroring each of a subset (or all) of the hosts (col.4, lines 
25-50). Baehr's proxy hosts or servers are referring to the claimed virtual hosts. 
According to Baehr, each of the proxy host of the proxy network corresponds to one of 
the actual hosts within the private network (col.4, lines 31-39 and 49-50). Thus, Baehr 
obviously suggests an actual host of the private network is the claimed distinct home 
and that each proxy host amongst the set of virtual hosts corresponds to a distinct host 
(home) between the first and second networks through the firewall (col.4, lines 33-37 
and Fig.8). 

Baehr teaches an invention comprising the private network coupled via a 
standard network interface to the screening system, the public network is coupled to the 
screen via another network interface, and the proxy network is coupled to the screen via 
the network interface (Fig.5 and 8 and col.5, lines 35-41). Based on the information
from the packet would indicate the state of the connection to a particular host or service
in the network (col.6, lines 44-45) and such information determines whether the source
host is in the expected domain (col.6, lines 48-53). The domains communicate with one 
another through a screen or a conventional firewall via a connection (col.5, lines 45-47). 
Baehr discloses a screening system which is configured to handle all of the 
conventional firewall functions plus the screening functions and different connections 
from different networks via standard network interfaces to the firewall (col.3, lines 36-
62). Baehr discloses the claimed edge connection corresponding to a network
connection as a port or network interface that is provided for each of the two networks 
and one or more ports are provided to one or more proxy networks (col.2, lines 8-15). 
Therefore, Baehr reads on the claimed multi-homed firewall.

Referring to Fig. 5 and 8, shows the private network 330 coupled via a network 
interface 410 to the screening system, the private network 335 coupled via a network 
interface 415 to the screening system, and the proxy network 430 is coupled to the 
screen via the network interface 420 (col.3, lines 36-62 and col.5, lines 35-41). Baehr 
includes two private networks 330 and 335 with different connections wherein the 
private network 330 can assume to be the first network (i.e. a corporate domain 
corp.sun.com - col.5, lines 43-47) and the private network 335 refers to the second 
network (i.e. an engineering domain eng.sun.com - col.5, lines 39-42). Baehr further 
discloses the proxy network includes proxies (virtual hosts) for both the eng.sun.com 
and corp.sun.com (col.5, lines 50-52). Thus, suggests the two different private 
networks include their own set of virtual proxy hosts. The claimed first edge connection 
corresponding to the first network connection can be the network interface connecting to 
a corresponding private network 335. The claimed second edge connection
corresponding to first network connection can be the second network interface
connecting to the second private network 330. Thus, obviously suggests a first edge 
connection comprising a first set of virtual hosts for processing connection requests 
from a first network and a second edge connection comprising a second set of virtual 
hosts for processing connection requests from a second network (col.5. lines 50-52 and 
Fig.8). Although, Baehr discloses virtual hosts and ensuing connection request is 
mapped to the firewall machine of the array to respond to a DNS request associated 
with said ensuing connection request (col.6, lines 5-62 and coL7, lines 28-34). 
However, the connection request does not involve an IP-compliant network and a 
private network through which a connection may be made between said IP-compliant 
network and said private network. 

Rosotoker discloses network technology has suffered from limitations resulting 
from a proliferation of non-standard protocols, and limitations due to the nature of the 
protocols and transmission schemes, which are employed (col.2, lines 22-26).
Rosotoker discloses that under heavy traffic, any attempt to determine to which port a 
packet must be switched must be accomplished speedily to avoid slowing throughput of 
the network (col.2, lines 41-45). Rosotoker discusses the network protocol processing 
system interconnection comprises packet conversion logic for conversion between 
network protocol (col.4, line 66 - col.5, line 1) where the invention is not necessarily 
limited to the particular protocols and standards used (col.25, lines 45-52). Rosotoker 
discusses the remote node connections typically exchange packets of data in Novell 
IPX, Microsoft NetBEUI, or Internet IP format (col.7, lines 65-67). Thus, depending
upon the protocol employed internally the data received over a particular port may 
require translation from one protocol to another (col.18, lines 5-10) obviously suggests 
the received IP-compliant traffic being destined for said non-IP compliant destination. 
Further, Rosotoker discloses translating incoming packets in any protocol and outgoing 
packets in any different protocol (col.9, lines 28-31). Rosotoker discusses the ATM
protocol is preferred but can use other protocols (col.8, lines 55-58). Rosotoker teaches 
the conversion between a network protocol (i.e. IP-compliant) and the data protocol (i.e. 
non-IP compliant) used to handle large data streams such as MPEG packets but not 
limited to these particular protocols (col.25, lines 44-53). By translating outgoing 
packets in any protocol obviously can transform the IP-compliant traffic into a non-IP 
protocol appropriate for a destination. Hence, Rosotoker obviously suggests an IP- 
compliant network and a private network through which a connection may be made. 

Therefore, it would have been obvious for a person of ordinary skills in the art to 
combine Baehr teaching network connectivity by allowing connections to be established 
with the virtual hosts with Rosotoker to teach translation/conversion from one protocol to 
another (Rosotoker - col.18, lines 5-10) through which a connection may be made between
said IP-compliant network and said private network because translating to a different 
protocol can accommodate the data stream of a non-IP compliant destination and 
providing connections to different network protocols to provide multiple external 
communication port connections transparent to the destined (Rosotoker-col.25, lines 
34-37 and 44-52). 

As per claim 31: See Baehr on col.6, lines 5-10 and 58-67 and col.7, lines 28-34;
discussing load-sharing multi-homed firewall array of claim 30, wherein: connection 
request received from the IP-compliant network is mapped to said first set of virtual 
hosts on the first firewall machine of the array to respond to a DNS request. 
As per claim 32: See Baehr on col.6, lines 5-10 and 58-67 and col.7, lines 28-34; 
discussing load-sharing multi-homed firewall array of claim 30, wherein connection 
request received from the private network is mapped to said second set of virtual hosts 
on the first firewall machine of the array to respond to a DNS request. 
As per claim 33: See Baehr on col.5, lines 30-35 and col.6, lines 18-25 and col.10, 
lines 7-31; discussing load-sharing multi-homed firewall array of claim 30, wherein each 
of said firewall machines further comprises a special-purpose virtual host including an 
HTML-based configuration module for updating said master configuration files over said 
IP-compliant network. 

As per claim 34: See Baehr on col.4, lines 25-50 and col.8, lines 40-45; discussing 
load-sharing multi-homed firewall array of claim 33, wherein each of said firewall 
machines includes N + 1 sets of virtual hosts. 
As per claim 35: 

Baehr discloses a load-sharing multi-homed firewall array comprising: 
means for coupling a plurality of firewall means in parallel with [an IP-compliant
network] (col.2, lines 8-15 and col.3, lines 15-22 and 50-67)

each of the firewall machines of the array further comprising: 
a first edge connection means corresponding to a first network connection and a
second edge connection means corresponding to a second network connection; (col.3,
lines 36-62 and Figs.5 and 8)

said first edge and second edge connection means further comprising a first set
of virtual host means interfacing an associated firewall means (Fig.6) [with said IP-
compliant network] and said second set of virtual host means interfacing an associated
firewall machine with a private network; (col.4, lines 25-50 and col.8, lines 40-45)

means for providing DNS functionality associated with each of firewall means;
(col.6, lines 5-10 and 58-67)

master configuration means associated with each of the firewall machines; (col.6,
lines 30-51 and col.8, lines 12-27)

an HTML-based configuration means for updating said master configuration
means using a point-and-click interface over said [IP-compliant network]; and (col.5,
lines 30-35 and col.6, lines 18-25 and col.10, lines 7-31)

means for mapping an ensuing connection request to the first firewall means to
respond to a DNS request associated with said ensuing connection request. (col.7, lines
28-34 and col.8, line 58 - col.9, line 5)

According to the applicant's specification (pg.16) that each virtual host 
corresponds to a "home" (i.e. site) via connection made between the two networks and 
that homes are synonymous to virtual hosts. So with the specification in mind, 
Examiner broadly interprets for each of the virtual hosts corresponding to a distinct 
home is where each virtual host relates to a real host or an actual host (home) of one of 
the networks. Thus, for purposes of applying art, the virtual host specific or distinct to 
its actual host (home) is one in the same when being referenced to for connection
between the networks. 

Baehr discloses that the private network includes hosts and a proxy network 
includes a proxy virtual host mirroring each of a subset (or all) of the hosts (col.4, lines 
25-50). Baehr's proxy hosts or servers are referring to the claimed virtual hosts. 
According to Baehr, each of the proxy host of the proxy network corresponds to one of 
the actual hosts within the private network (col.4, lines 31-39 and 49-50). Thus, Baehr
obviously suggests an actual host of the private network is the claimed distinct home
and that each proxy host amongst the set of virtual hosts corresponds to a distinct host
(home) between the first and second networks through the firewall (col.4, lines 33-37 
and Fig.8). 

Baehr teaches an invention comprising the private network coupled via a 
standard network interface to the screening system, the public network is coupled to the 
screen via another network interface, and the proxy network is coupled to the screen via 
the network interface (Fig. 5 and 8 and col.5, lines 35-41). Based on the information
from the packet would indicate the state of the connection to a particular host or service
in the network (col.6, lines 44-45) and such information determines whether the source
host is in the expected domain (col.6, lines 48-53). The domains communicate with one
another through a screen or a conventional firewall via a connection (col.5, lines 45-47).
Baehr discloses a screening system which is configured to handle all of the 
conventional firewall functions plus the screening functions and different connections 
from different networks via standard network interfaces to the firewall (col.3, lines 36- 
62). Baehr discloses the claimed edge connection corresponding to a network
connection as a port or network interface that is provided for each of the two networks
and one or more ports are provided to one or more proxy networks (col.2, lines 8-15).
Therefore, Baehr reads on the claimed multi-homed firewall.

Referring to Fig. 5 and 8, shows the private network 330 coupled via a network 
interface 410 to the screening system, the private network 335 coupled via a network 
interface 415 to the screening system, and the proxy network 430 is coupled to the 
screen via the network interface 420 (col.3, lines 36-62 and col.5, lines 35-41). Baehr
includes two private networks 330 and 335 with different connections wherein the 
private network 330 can assume to be the first network (i.e. a corporate domain 
corp.sun.com - col.5, lines 43-47) and the private network 335 refers to the second 
network (i.e. an engineering domain eng.sun.com - col.5, lines 39-42). Baehr further 
discloses the proxy network includes proxies (virtual hosts) for both the eng.sun.com 
and corp.sun.com (col.5, lines 50-52). Thus, suggests the two different private 
networks include their own set of virtual proxy hosts. The claimed first edge connection 
corresponding to the first network connection can be the network interface connecting to 
a corresponding private network 335. The claimed second edge connection
corresponding to first network connection can be the second network interface 
connecting to the second private network 330. Thus, obviously suggests a first edge 
connection comprising a first set of virtual hosts for processing connection requests 
from a first network and a second edge connection comprising a second set of virtual 
hosts for processing connection requests from a second network (col.5, lines 50-52 and 
Fig.8). Although, Baehr discloses virtual hosts and ensuing connection request is
mapped to the firewall machine of the array to respond to a DNS request associated
with said ensuing connection request (col.6, lines 5-62 and col.7, lines 28-34).
However, the connection request does not involve an IP-compliant network and a 
private network through which a connection may be made between said IP-compliant 
network and said private network. 

Rosotoker discloses network technology has suffered from limitations resulting 
from a proliferation of non-standard protocols, and limitations due to the nature of the 
protocols and transmission schemes, which are employed (col.2, lines 22-26). 
Rosotoker discloses that under heavy traffic, any attempt to determine to which port a 
packet must be switched must be accomplished speedily to avoid slowing throughput of 
the network (col.2, lines 41-45). Rosotoker discusses the network protocol processing 
system interconnection comprises packet conversion logic for conversion between 
network protocol (col.4, line 66 - col.5, line 1) where the invention is not necessarily
limited to the particular protocols and standards used (col.25, lines 45-52). Rosotoker
discusses the remote node connections typically exchange packets of data in Novell
IPX, Microsoft NetBEUI, or Internet IP format (col.7, lines 65-67). Thus, depending
upon the protocol employed internally the data received over a particular port may 
require translation from one protocol to another (col.18, lines 5-10) obviously suggests
the received IP-compliant traffic being destined for said non-IP compliant destination. 
Further, Rosotoker discloses translating incoming packets in any protocol and outgoing 
packets in any different protocol (col.9, lines 28-31). Rosotoker discusses the ATM
protocol is preferred but can use other protocols (col.8, lines 55-58). Rosotoker teaches
the conversion between a network protocol (i.e. IP-compliant) and the data protocol (i.e.
non-IP compliant) used to handle large data streams such as MPEG packets but not
limited to these particular protocols (col.25, lines 44-53). By translating outgoing 
packets in any protocol obviously can transform the IP-compliant traffic into a non-IP 
protocol appropriate for a destination. Hence, Rosotoker obviously suggests an IP- 
compliant network and a private network through which a connection may be made. 

Therefore, it would have been obvious for a person of ordinary skills in the art to
combine Baehr teaching network connectivity by allowing connections to be established
with the virtual hosts with Rosotoker to teach translation/conversion from one protocol to
another (Rosotoker - col.18, lines 5-10) through which a connection may be made between
said IP-compliant network and said private network because translating to a different 
protocol can accommodate the data stream of a non-IP compliant destination and 
providing connections to different network protocols to provide multiple external 
communication port connections transparent to the destined (Rosotoker-col.25, lines 
34-37 and 44-52). 

As per claim 36: See Baehr on col.6, lines 5-10 and 58-67 and col.7, lines 28-34;
discussing load-sharing multi-homed firewall array of claim 35, further comprising 
means for mapping a connection request received from the IP-compliant network to said 
first set of virtual host means on the first firewall means to respond to a DNS request. 
As per claim 37: See Baehr on col.6, lines 5-10 and 58-67 and col.7, lines 28-34;
discussing load-sharing multi-homed firewall array of claim 35, further comprising
means for mapping a connection request received from the private network to said
second set of virtual host means on the first firewall means to respond to a DNS
request. 

As per claim 38: See Baehr on col.4, lines 25-50 and col.8, lines 40-45 and;
discussing load-sharing multi-homed firewall array of claim 35, wherein each of said 
firewall means includes N + 1 sets of virtual host means. 



Conclusion 

5. Applicant's amendment necessitated the new ground(s) of rejection presented in
this Office action. Accordingly, THIS ACTION IS MADE FINAL. See MPEP
§ 706.07(a). Applicant is reminded of the extension of time policy as set forth in 37 
CFR 1.136(a). 

A shortened statutory period for reply to this final action is set to expire THREE 
MONTHS from the mailing date of this action. In the event a first reply is filed within 
TWO MONTHS of the mailing date of this final action and the advisory action is not 
mailed until after the end of the THREE-MONTH shortened statutory period, then the 
shortened statutory period will expire on the date the advisory action is mailed, and any 
extension fee pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of 
the advisory action. In no event, however, will the statutory period for reply expire later 
than SIX MONTHS from the date of this final action. 

Any inquiry concerning this communication or earlier communications from the examiner
should be directed to LEYNNA T. HA whose telephone number is (571) 272-3851. The
examiner can normally be reached on Monday - Thursday (7:00 - 5:00PM).

If attempts to reach the examiner by telephone are unsuccessful, the examiner's 
supervisor, Kim Vu can be reached on (571) 272-3859. The fax phone number for the
organization where this application or proceeding is assigned is 571-273-8300. 

Information regarding the status of an application may be obtained from the Patent 
Application Information Retrieval (PAIR) system. Status information for published applications 
may be obtained from either Private PAIR or Public PAIR. Status information for unpublished 
applications is available through Private PAIR only. For more information about the PAIR
system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private 
PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you 
would like assistance from a USPTO Customer Service Representative or access to the 
automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000. 



